Threats Feed|Charming Kitten|Last Updated 17/01/2024|AuthorCertfa Radar|Publish Date23/08/2022

Charming Kitten's HYPERSCRAPE Tool Found Stealing User Data from Email Accounts

  • Actor Motivations: Espionage,Exfiltration
  • Attack Vectors: Compromised Credentials
  • Attack Complexity: Low
  • Threat Risk: Low Impact/Low Probability

Threat Overview

A new tool called HYPERSCRAPE, discovered by Google Threat Analysis Group in December 2021, has been found to be used by Charming Kitten to steal user data from Gmail, Yahoo and Microsoft Outlook accounts. HYPERSCRAPE requires the victim's account credentials to run, and once logged in, it changes the account's language settings to English, downloads messages individually as .eml files, and reverts the language back to its original settings once the inbox has been downloaded.

Detected Targets


Extracted IOCs

  • 03d0e7ad4c12273a42e4c95d854408b98b0cf5ecf5f8c5ce05b24729b6f4e369
  • 1a831a79a932edd0398f46336712eff90ebb5164a189ef38c4dacc64ba84fe23
  • 35a485972282b7e0e8e3a7a9cbf86ad93856378fd96cc8e230be5099c4b89208
  • 5afc59cd2b39f988733eba427c8cf6e48bd2e9dc3d48a4db550655efe0dca798
  • 6dc0600de00ba6574488472d5c48aa2a7b23a74ff1378d8aee6a93ea0ee7364f
  • 767bd025c8e7d36f64dbd636ce0f29e873d1e3ca415d5ad49053a68918fe89f4
  • 977f0053690684eb509da27d5eec2a560311c084a4a133191ef387e110e8b85f
  • ac8e59e8abeacf0885b451833726be3e8e2d9c88d21f27b16ebe00f00c1409e6
  • cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
  • 136[.]243.108.14
  • 173[.]209.51.54

Tip: 11 related IOCs (2 IP, 0 domain, 0 URL, 0 email, 9 file hash) to this threat have been found.